portscan: TCP Portscan
Identification
| Id | 122-1 |
|---|---|
| Alert | portscan: TCP Portscan |
| Classification | unclassified |
Trigger
This event is generated when the sfPortscan preprocessor detects network traffic that may constitute a TCP portscan: one source host probing many distinct TCP ports on a single target host within a short period.
A portscan is often the first stage of a targeted attack against a system. An attacker can use various portscanning techniques and tools to enumerate listening services and, from their responses, infer the target's operating system and application versions, in order to choose the attack vectors to use against that host.
More information on this event can be found in the preprocessor's own documentation, README.sfportscan in the doc directory of the Snort source. Descriptions of the different portscanning techniques it recognises can also be found there, along with instructions and examples on how to tune and use the preprocessor.
Impacts
Unknown. This event is normally an indicator of network reconnaissance and may be the prelude to a targeted attack against the scanned systems.
Affected systems
All networked hosts.
False positives
While not strictly a false positive, a security audit or penetration test will often employ a portscan in exactly the way an attacker would. If this is the case, the preprocessor should be tuned to ignore the audit scanner (for example with the ignore_scanners option) so that authorised scans do not raise this event.
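As an illustration of that tuning, the following snort.conf fragment is an added example (it is not taken from README.sfportscan or from any shipped configuration). The addresses 10.0.0.0/24 and 10.0.0.5 are placeholders for the monitored subnet and the authorised audit host; the first stanza is the untuned form, the second the tuned one.

```conf
# Before: every TCP portscan source alerts, including the audit host
preprocessor sfportscan: proto { tcp } \
                         scan_type { portscan } \
                         sense_level { low }

# After: same detection, but only the monitored subnet is watched,
# and probes from the authorised scanner are dropped before counting,
# so it never generates 122-1 (or any other sfPortscan event)
preprocessor sfportscan: proto { tcp } \
                         scan_type { portscan } \
                         sense_level { low } \
                         watch_ip { 10.0.0.0/24 } \
                         ignore_scanners { 10.0.0.5 } \
                         logfile { portscan.log }

# Narrower alternative: keep tracking the audit host in sfPortscan but
# suppress just this event (GID 122, SID 1) when it is the source
suppress gen_id 122, sig_id 1, track by_src, ip 10.0.0.5
```

ignore_scanners removes the host from all sfPortscan tracking, which is what you want for a permanent scanner; the suppress line is the better choice when the audit is temporary or you still want the other sfPortscan events (sweeps, decoy and distributed scans) from that address.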
Scenario
An attacker first wants to discover which ports are open on a target computer. He or she scans the remote host with a dedicated tool such as Nmap.
Example
Corrective actions
- Check for other events targeting the scanned host, particularly any that follow the scan.
- Check the scanned host for signs of compromise.
- Apply any appropriate vendor-supplied patches.